This Metasploit module exploits a command injection vulnerability in an undocumented CGI file in several versions of the WePresent WiPG-1000 devices. Version 2.0.0.7 was confirmed vulnerable; 2.2.3.0 patched this vulnerability.
fdde35982e5ae8f4f3cfc494b6eb51af6b81f5d276ee9db4ad67d0db0267baf2
This Metasploit module exploits a vulnerability in the TinyMCE/tinybrowser plugin. This plugin is not secured in version 0.9 of VAMCart and allows the upload of files on the remote server. By renaming the uploaded file this vulnerability can be used to upload/execute code on the affected system.
2f631d7a476c9b413ae2de8686ab1f98d4e0e9c4ff4f224e34949b05e6bbf3c0
This Metasploit module exploits multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in PBBoard 2.1.4 to allow for arbitrary file upload / command execution.
f39d87cd2d0ecdc33b13e8ce46c0cbdb325accad08219c2178ea9f86295312c7
This Metasploit module exploits a stack-based buffer overflow found in the handling of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently targets SMPlayer 0.6.8, which is distributed with a vulnerable version of mplayer. The overflow is triggered when an unsuspecting victim opens a movie file first, followed by loading the malicious SAMI subtitles file from the GUI. It can also be triggered from the console with the mplayer "-sub" option.
ff773c1737c09b314a58cb07dab372f6b99f077dc26dbd42fd59a36e56c907a7
This Metasploit module exploits a vulnerability found in Symantec Web Gateway's HTTP service. By injecting PHP code in the access log, it is possible to load it with a directory traversal flaw, which allows remote code execution under the context of 'apache'. Please note that it may take up to several minutes to retrieve access_log, which is about the amount of time required to see a shell back.
65a7306dea41b299aa10904fe0da0ef4f8feaaf8b06f2b42c12431d74226ce63
This Metasploit module exploits a vulnerability found in ispVM System 18.0.2. Due to the way ispVM handles .xcf files, it is possible to cause a buffer overflow with a specially crafted file, when a long value is supplied for the version attribute of the ispXCF tag. It results in arbitrary code execution under the context of the user.
dd306ebaa1dbb06e60f50cd822da5c809e6e45d3a3bec14bed35322b5703fd6a
This Metasploit module exploits a vulnerability found in QuickShare File Share's FTP service. By supplying "../" in the file path, it is possible to trigger a directory traversal flaw, allowing the attacker to read a file outside the virtual directory. By default, the "Writable" option is enabled during account creation, which makes it possible to create a file at an arbitrary location, leading to remote code execution.
6ec3545a1080c917dedf3c676152c00eb53f82eef025b7df8d5bd1ad6fb56805
This Metasploit module exploits a vulnerability found in WeBid version 1.0.2. By abusing the converter.php file, a malicious user can inject PHP code in the includes/currencies.php script without any authentication, which results in arbitrary code execution.
80a84c00e66900b12e9cef081970706d89671fdd6de08048a29a545f296cfe05
This Metasploit module exploits a vulnerability found in RabidHamster R4's web server. By supplying a malformed HTTP request, it is possible to trigger a stack-based buffer overflow when generating a log, which may result in arbitrary code execution under the context of the user.
9bd2fe133907afe8dae3b0872be07135e15c6152fbb081eaf7b8fefe328ad0a3
This Metasploit module exploits a vulnerability found in Dorn Content Management Script (CMS), version 1.4. By abusing the add_page.php file, the attacker can upload/add a new file (.php) to the /cms/pages/ directory without any authentication, which results in arbitrary code execution.
d9e8467b701cbfb9bbe903c58d26bef4b2a9541424f51ceb8b51542282f6f250
This Metasploit module exploits a vulnerability in OpenOffice 2.3.1 and 2.3.0 on Microsoft Windows XP SP3. By supplying an OLE file with a malformed DocumentSummaryInformation stream, an attacker can gain control of the execution flow, which results in arbitrary code execution under the context of the user.
7f7fa7d76079ea7a99a629f8223bcb4b881b275d2d9b9c051e830361276e7852
This Metasploit module exploits a vulnerability found in appRain's Content Management Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a malicious user can upload a file to the uploads/ directory without any authentication, which results in arbitrary code execution.
ecfbba7aea3ed45a511e747ceee47ff495011c2a8d081ea91351b0810e76fecc
This Metasploit module exploits a vulnerability in the FlexNet License Server Manager. The vulnerability is due to the insecure usage of memcpy in the lmgrd service when handling network packets, which results in a stack buffer overflow. In order to improve reliability, this module will make lots of connections to lmgrd during each attempt to maximize its success.
2d6d029945aaecc2ac0003cb91c1250f912d627ce695077b2bfbd1919c57f669
This Metasploit module exploits a buffer overflow in Foxit Reader 3.0 builds 1301 and earlier. Due to the way Foxit Reader handles the input from a "Launch" action, it is possible to cause a stack-based buffer overflow, allowing an attacker to gain arbitrary code execution under the context of the user.
009165bbb7f39c130705ca1779b5bf21f2c3fd6f324d13329ecce60c590e0dcc
This Metasploit module exploits a vulnerability found in HP's StorageWorks P4000 VSA on versions prior to 9.5. By using a default account credential, it is possible to inject arbitrary commands as part of a ping request via port 13838.
1f354fd80321e3a8c75c32db994ccf7fbd51de54814d94d9641e5bfccae9d6f6
This Metasploit module exploits an arbitrary code injection vulnerability in the chat module that is part of Active Collab by abusing a preg_replace() using the /e modifier and its replacement string using double quotes. The vulnerable function can be found in activecollab/application/modules/chat/functions/html_to_text.php.
dc407149c6ca0f8de287ff88144c5d975efe9da8376d1ec83d0a3d2bd4d18f90
This Metasploit module exploits a stack-based buffer overflow in the BEA Weblogic Apache plugin. The connector fails to properly handle specially crafted HTTP POST requests, resulting in a buffer overflow due to the insecure usage of sprintf. Currently, this module works over Windows systems without DEP, and has been tested with Windows 2000 / XP. In addition, the Weblogic Apache plugin version is fingerprinted with a POST request containing a specially crafted Transfer-Encoding header.
c5633687f5d4dea297197de9035ee5ddaf873d0ee50394f6fa17d80638863e7f
This Metasploit module abuses the SVG support to execute Java code in the Squiggle Browser included in the Batik framework 1.7 through a crafted SVG file referencing a jar file. In order to gain arbitrary code execution, the browser must meet the following conditions: (1) It must support at least SVG version 1.1 or newer, (2) It must support Java code and (3) The "Enforce secure scripting" check must be disabled. The module has been tested against Windows and Linux platforms.
24c7b9f43ad4bc7ab845971e498435dbb71b35eb0f5542e9973eab4ad82fb513
This Metasploit module creates a buffer overflow condition by sending a Read Request (RRQ) packet to TFTP server version 1.4.
fa9a0be38e83a3162d8474b2cb10cba8e6ec243cb4cbcc36423fedb3d72656ab
This Metasploit module exploits a use-after-free vulnerability in Firefox 8/8.0.1 and 9/9.0.1. Removal of child nodes from the nsDOMAttribute can allow for a child to still be accessible after removal due to a premature notification of AttributeChildRemoved. Since mFirstChild is not set to NULL until after this call is made, this means the removed child will be accessible after it has been removed. By carefully manipulating the memory layout, this can lead to arbitrary code execution.
0750feb0c6b04b3e549b1720e08f8946c5ad47833c85f2914592e886fe867eb0
This Metasploit module exploits a vulnerability found in Distinct TFTP server. The software contains a directory traversal vulnerability that allows a remote attacker to write an arbitrary file to the file system, which results in code execution under the context of 'SYSTEM'.
f9ed713ff3be483dd14a09fbef83afaa998846ace3aab19c3588c2a752aaa832
This Metasploit module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the UserAgent header, and then request it to execute our payload. There are at least three different ways to trigger spam protection; this module does so by generating 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6). Please note that in order to use the injection, you must manually pick a page first that allows you to add a comment, and then set it as 'PAGE'.
979dd7941c1071466332c8564dba032aa510362e1fb22f874339cf269936c50e
This Metasploit module exploits an out-of-bounds access flaw in Firefox 7 and 8 (versions 8.0.1 and below). The notification of nsSVGValue observers via nsSVGValue::NotifyObservers(x,y) uses a loop which can result in an out-of-bounds access to attacker-controlled memory. The mObserver ElementAt() function (which picks up pointers) does not validate if a given index is out of bounds. If a custom observer of nsSVGValue is created, which removes elements from the original observer, and memory layout is manipulated properly, the ElementAt() function might pick up an attacker-provided pointer, which can be leveraged to gain remote arbitrary code execution.
94acb924f037607a74196ffbd40dc6b26726a6b5e2a13e1caa089d6e3b0c2406
This Metasploit module exploits a SQL injection found in Solarwinds Storage Manager login interface. It will send a malicious SQL query to create a JSP file under the web root directory, and then let it download and execute our malicious executable under the context of SYSTEM.
f0082fe343289cee7851fb985c1987add9c8ebcb058523260ad6c25997867acf
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This Metasploit module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: "if there is NO unescaped '=' in the query string, the string is split on '+' (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the "encoded in a system-defined manner" from the RFC) and then passes them to the CGI binary."
b19f8f4342eff5bad4cc51580c640170655b2809104d5e7835692a1eb116a923
This Metasploit module exploits a vulnerability found in McAfee Virtual Technician's MVTControl. This ActiveX control can be abused by using the GetObject() function to load additional unsafe classes such as WScript.Shell, therefore allowing remote code execution under the context of the user.
ec86fdc2f4cc78d676680abb952cb10427dad174e2bed743fc0d8633dd49510a